Restrict Access to certain IPs in VPN

Unanswered Question
Mar 21st, 2007

Does anyone know if there is a way to restrict a user to access only a certain number of IP's through PIX when he/she is connecting through a VPN connection setup on the PIX itself ?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
kaachary Wed, 03/21/2007 - 16:10

You need to configure split tunneling for this. Only the ip address defined in split tunnel ACL will be accessible by the vpn client.

E.G. You want to restrict the clients to access an inside server only, say 192.168.1.1, and the client pool is 10.1.1.1-10.1.1.10.

Create an ACL :

access-list split permit ip host 192.168.1.1 10.1.1.0 255.255.255.0

vpngroup split-tunnel split

That should do it. To read more about split tunnel :

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#wp1099471

*Please rate if it helped.

-Kanishka

alexandre.paradis Thu, 03/22/2007 - 05:44

You can also remove the "sysopt connection permit-ipsec" line, and define an inbound ACL to your outside interface.

In that ACL, filter out the traffic from the source IP address (client pool)

Actions

This Discussion